Understanding ransomware: How it works and how to stay protected
Ransomware is one of the most serious cyber threats businesses face today: a type of malware that blocks access to files or systems, usually by encrypting them, and demands payment to restore access. A successful attack can paralyze an entire network, cause heavy financial losses, and expose sensitive data. Because attackers keep refining their tactics, organizations need to understand how ransomware works and how to defend against it.
What is ransomware?
At its core, ransomware is malicious software (malware) that prevents users from accessing their files, systems, or devices. The attacker typically demands a ransom, usually in cryptocurrency, in exchange for restoring access. Modern variants pair correctly implemented, strong encryption with additional forms of coercion such as data theft, and they are frequently delivered alongside other malware (a loader, a credential stealer, or a remote-access tool) that gives the operators a foothold first. Each new variant may change how it spreads and behaves, which is why detection that relies on recognizing known samples tends to lag behind.
There are two primary types of ransomware, each with its own approach to blocking access:
- Locker ransomware blocks access to the entire device or system. It does not encrypt files but locks the screen and displays a ransom message.
- Crypto ransomware encrypts files, rendering them unusable unless the victim pays for the decryption key. It is the more common and more damaging form for businesses, because it can make critical data unusable. Most strains target specific file types (documents, spreadsheets, databases, images), so a sudden wave of files being renamed to an unfamiliar extension is a typical sign of an infection in progress.
Many modern strains go further: they steal data before encrypting it and threaten to publish it if the ransom is not paid, a tactic known as double extortion.
History and evolution of ransomware
Ransomware has a surprisingly long history, dating back to 1989 and the AIDS Trojan, which was mailed to victims on floppy disks and demanded payment to restore access to a machine whose file names it had scrambled. Its weakness is instructive: it used a simple symmetric scheme with the key embedded in the program itself, so researchers were able to publish a recovery tool and nobody needed to pay. Attackers learned from this and moved to public-key cryptography, which leaves the victim without any copy of the decryption key, and later to the ransomware-as-a-service (RaaS) model, in which developers rent out the malware and infrastructure so that criminals with little technical skill can run sophisticated campaigns. Worldwide outbreaks such as WannaCry and NotPetya (both 2017) showed how much damage a single campaign can do to businesses and public services. As ransomware continues to evolve, staying informed and prepared is essential to keeping valuable files out of reach of the next variant.
Want to understand how the criminal business model behind RaaS works and why it is fueling modern ransomware attacks? Explore our in-depth guide to Ransomware-as-a-Service.
How ransomware attacks work
Ransomware doesn’t just appear on a system – it requires an entry point. Attackers use several techniques to gain access to devices or networks, often by exploiting human error or system vulnerabilities.
Typical infection methods include:
- Phishing emails, where attackers trick users into clicking a malicious link or opening a harmful attachment.
- Drive-by downloads, where malware is installed simply by visiting a compromised website, often without the user clicking or downloading anything intentionally.
- Exploit kits that take advantage of known, unpatched software vulnerabilities to install ransomware silently.
- Malvertising, where malicious ads on legitimate websites lead to ransomware downloads.
- Infected USB drives or other removable media, which can carry ransomware onto a system once plugged in.
- Weak, reused, or leaked Remote Desktop Protocol (RDP) credentials, often on servers exposed directly to the internet, allowing attackers to log in and deploy ransomware by hand.
Lures are often tailored to the region or audience, for example watering-hole attacks that compromise a website the target group is known to visit, or fake police notices that accuse the victim of a crime and demand a "fine". In modern, human-operated intrusions the encryption rarely starts the moment the malware lands. The operators first escalate privileges, move laterally to reach servers and backups, disable security tooling and shadow copies, and frequently copy data out of the network; encryption is the final, visible step, followed by a ransom note with payment instructions and threats of data loss or exposure.
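Weak RDP credentials, listed above, are usually found by brute force or password spraying against an exposed server, and that activity is visible in the Windows Security log long before any encryption starts. The Go program below is an added example written for this article, not code from the original page or from any product. It reads a small, constructed log excerpt (the CSV layout is a simplification of the real event format, and the addresses, account names and timestamps are made up), flags any source address that produces five failed RDP logons (event 4625, logon type 10) inside five minutes, reports how many accounts it tried, and notes whether a successful logon (event 4624) from the same address followed. The thresholds and the event-type mapping are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one simplified Windows Security record; the CSV layout is constructed for this example.
type Event struct {
	Time      time.Time
	ID        int // 4625 = failed logon, 4624 = successful logon
	SourceIP  string
	User      string
	LogonType int // 10 = RemoteInteractive (RDP); NLA hosts often log the pre-auth failure as 3
}

type Finding struct {
	SourceIP       string
	Failures       int  // failures inside the window that raised the finding
	DistinctUsers  int  // many accounts from one source suggests a password spray
	SucceededAfter bool // a 4624 from the same source followed the failures
}

const (
	window    = 5 * time.Minute // sliding window for counting failures
	threshold = 5               // failures inside the window that alert
)

// sampleLog is constructed test data: time,event_id,source_ip,user,logon_type
const sampleLog = `2025-06-01T02:00:01Z,4625,203.0.113.7,Administrator,10
2025-06-01T02:00:04Z,4625,203.0.113.7,admin,10
2025-06-01T02:00:09Z,4625,203.0.113.7,backup,10
2025-06-01T02:00:13Z,4625,203.0.113.7,jsmith,10
2025-06-01T02:00:18Z,4625,203.0.113.7,jsmith,10
2025-06-01T02:00:25Z,4624,203.0.113.7,jsmith,10
2025-06-01T09:15:00Z,4625,198.51.100.22,jsmith,10
2025-06-01T10:00:00Z,4625,192.0.2.50,alice,2`

// parseLog turns the CSV text into events sorted by time.
func parseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		id, err1 := strconv.Atoi(f[1])
		lt, err2 := strconv.Atoi(f[4])
		if err != nil || err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad field in line: %q", line)
		}
		events = append(events, Event{ts, id, f[2], f[3], lt})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// detectBruteForce reports, per source, the first point at which `threshold`
// RDP failures fall inside `window`, plus whether that source then logged on.
func detectBruteForce(events []Event) []Finding {
	fails, lastSuccess := map[string][]Event{}, map[string]time.Time{}
	for _, e := range events {
		if e.LogonType == 10 && e.ID == 4625 {
			fails[e.SourceIP] = append(fails[e.SourceIP], e)
		} else if e.LogonType == 10 && e.ID == 4624 {
			lastSuccess[e.SourceIP] = e.Time // events are sorted, so this is the latest
		}
	}
	var findings []Finding
	for ip, fs := range fails {
		for i, start := 0, 0; i < len(fs); i++ {
			for fs[i].Time.Sub(fs[start].Time) > window {
				start++ // slide the window past failures that are too old
			}
			if i-start+1 < threshold {
				continue
			}
			users := map[string]bool{}
			for _, f := range fs[start : i+1] {
				users[f.User] = true
			}
			succeeded := !lastSuccess[ip].IsZero() && !lastSuccess[ip].Before(fs[i].Time)
			findings = append(findings, Finding{ip, i - start + 1, len(users), succeeded})
			break // one finding per source is enough to raise an alert
		}
	}
	return findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", detectBruteForce(events))
}
```

Five failures in five minutes is deliberately low for an internet-facing host; on a busy jump server you would raise it, but a failure burst followed by a 4624 from the same external address should page someone regardless of the count, because that is what a guessed password looks like. Better still, do not expose RDP to the internet at all: put it behind a VPN or gateway with multi-factor authentication, and the log becomes a last line of detection rather than the first.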
How ransomware spreads
Ransomware can reach a system through several attack vectors, which is what makes it so versatile. The most common is still a malicious attachment in a phishing email: opening it runs the malware. Trojanized software downloads are another route, introducing ransomware into the operating system along with the program the user wanted. Attackers also exploit unpatched vulnerabilities, the best-known case being the EternalBlue flaw in SMBv1 that WannaCry used to jump from machine to machine across entire networks without any user action. Mobile devices are not immune either; ransomware exists for smartphones and tablets. Because one infected device can quickly become many, strong security practices on every endpoint are essential to prevent infections and safeguard data.
Types of ransomware
Ransomware comes in different forms, each with distinct behaviors and goals. Recognizing the type of ransomware can help organizations respond effectively and reduce damage.
Here are the most common categories:
- Encrypting ransomware encrypts user data and demands payment for the decryption key. Examples include WannaCry and CryptoLocker.
- Locking ransomware locks users out of their systems without encrypting files. Reveton and the wider family of "police ransomware" are notable examples; they impersonate the FBI or the local police force and claim the victim must pay a fine for an alleged crime.
- Doxware (extortionware) threatens to publish sensitive or personal information unless a ransom is paid. Jigsaw and Popcorn Time are often cited here, though their pressure tactics differed: Jigsaw deleted files on a countdown, and Popcorn Time offered a free key to victims who infected two other people. The leak sites run by most large ransomware groups today are the modern form of this category.
- Ransomware-as-a-Service (RaaS) lets criminals rent ransomware tools and infrastructure and share profits with the developers. REvil and GandCrab are high-profile examples.
- Targeted ransomware is built for specific victims and uses tailored delivery to byp
ass their defenses. Many current families ship builds for Windows, Linux, and virtualization hosts to maximize reach. NotPetya, seeded through a compromised update of a Ukrainian accounting package, and Bad Rabbit are examples.
Understanding these distinctions is essential for building an effective defense strategy.
Targets of ransomware
Ransomware attacks are not limited to any single group: they hit individuals, large organizations, and critical infrastructure alike. Hospitals, government agencies, and private companies have all been struck, with operations disrupted and sensitive data put at risk. In one widely reported case, Hollywood Presbyterian Medical Center paid a significant ransom to regain access to its computer systems after an attack halted essential services. Attackers favor organizations where downtime is intolerable, such as healthcare, transportation, and utilities, but no sector is safe. The impact can be devastating: financial losses, compromised data, and operational chaos. Investing in effective defenses and taking proactive steps before an attack occurs is the only reliable way to limit that impact.
Encrypted files and ransomware
A hallmark of ransomware is its ability to encrypt files, locking away documents, images, databases, and other data until a ransom is paid. Modern variants, including targeted ransomware, use a hybrid scheme: each file is encrypted with a fresh symmetric key (typically AES), and that key is in turn encrypted with an RSA public key whose matching private key only the attacker holds. The plaintext file key is never left on the victim's disk, so recovering the data by brute force is computationally infeasible; the only ways back are the attacker's private key or a clean backup. Occasionally a strain's implementation is flawed and researchers publish a free decryptor, but that cannot be planned for. Encrypting files in this way can bring business operations to a standstill, and in many attacks the data is also stolen before it is encrypted, so it may be leaked as well. Regular, tested backups kept out of the attacker's reach are therefore the core of any defense: they let an organization recover its data without paying.
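To make the hybrid scheme concrete, here is a short Go program written as an added example for this article; it is not code from the original page or from any real ransomware family, and it works purely on an in-memory string. It encrypts a constructed sample document with a fresh AES-256-GCM key, wraps that key with an RSA-OAEP public key, and then shows that the document comes back only with the matching private key, while a second, unrelated private key fails to unwrap the file key. The document text, key sizes, and function names are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sampleDocument is a constructed stand-in for a victim's file; it only ever lives in memory.
const sampleDocument = "Q2 payroll: alice 5200, bob 4900, carol 6100\n"

// Locked is what the scheme leaves behind for one file: ciphertext, nonce, and the per-file
// key wrapped to the attacker's RSA public key. The plaintext key is never stored anywhere.
type Locked struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// lock encrypts plaintext under a fresh AES-256-GCM key and wraps that key with RSA-OAEP.
func lock(pub *rsa.PublicKey, plaintext []byte) (*Locked, error) {
	buf := make([]byte, 32+12) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// fileKey goes out of scope here; only its RSA-wrapped form survives with the ciphertext.
	return &Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unlock reverses lock and can only succeed with the private half of the key used in lock.
func unlock(priv *rsa.PrivateKey, l *Locked) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// DemoResult holds the two outcomes: recovery with the attacker's key, and failure without it.
type DemoResult struct {
	Recovered   []byte
	WrongKeyErr error
}

// runDemo generates the attacker's key pair (the private half is what a victim is asked to pay
// for), locks the document, then tries to recover it with and without that private key.
func runDemo() (*DemoResult, error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	locked, err := lock(&attacker.PublicKey, []byte(sampleDocument))
	if err != nil {
		return nil, err
	}
	recovered, err := unlock(attacker, locked)
	if err != nil {
		return nil, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // any key that is not the attacker's
	if err != nil {
		return nil, err
	}
	_, wrongErr := unlock(other, locked)
	return &DemoResult{Recovered: recovered, WrongKeyErr: wrongErr}, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the attacker's private key: %q\nwithout it: %v\n", r.Recovered, r.WrongKeyErr)
}
```

Two things are worth noticing. The per-file key exists in the clear only inside lock and is discarded afterwards, so there is nothing left on the victim's disk to recover; and the failure with the wrong private key is a hard cryptographic error, not a slow search, which is why "just brute-force it" is not an option at these key sizes. The same construction, used honestly, is what protects an encrypted backup or a TLS session; the only difference is who holds the private key.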
Malicious software and ransomware
Ransomware is a particularly damaging kind of malware because it is built to extort money directly, by encrypting files or locking users out of their systems. Attackers commonly use social engineering, such as phishing emails carrying malicious attachments, to get the malware installed. Once inside, it can act as a screen locker or as encrypting ransomware and spread to other devices and files on the network. The consequences are severe: loss of access to critical data and a demand for payment. Preventing infection requires layered controls, including endpoint protection, firewalls, and user education about malicious attachments. If an infection does occur, notify law enforcement and move quickly to contain and remove the malware from affected systems before it spreads further.
Should you pay the ransom?
It may be tempting to pay a ransom in the hope of regaining access quickly, but cybersecurity experts and law enforcement strongly advise against it. There are several risks associated with paying:
- There is no guarantee you will receive a working decryption key, and decryptors supplied by attackers are often slow or only partially effective.
- Paying funds the criminal operation and finances the next attack.
- Paying may carry legal risk: if the group is on a government sanctions list, the payment can itself expose the organization to regulatory penalties.
- It marks your organization as a willing payer, making you a likely repeat target.
Instead, businesses should prioritize prevention, maintain frequent backups that an intruder cannot reach or alter, and have a tested incident response plan in place.
Consequences of a ransomware attack
The effects of ransomware are wide-reaching and can be devastating – especially if a company is unprepared. In addition to the immediate disruption, there are long-term risks that can affect every part of the business.
Typical consequences include:
- Financial loss from ransom payments, system downtime, and recovery costs.
- Permanent data loss if encrypted files cannot be recovered from backups.
- Reputational damage, leading to lost customers and reduced trust among stakeholders.
- Legal and regulatory penalties if personal or customer data is leaked, especially under laws such as the GDPR.
- Operational disruption, with halted services and interrupted workflows.
- Emotional toll on staff, who may feel stressed, anxious, or overwhelmed by the attack.
An attack also leaves the organization less secure than before: the intruders usually held privileged access for days before encrypting anything, so any accounts, credentials, or backdoors they created remain a risk until the environment has been rebuilt or thoroughly cleaned. The longer it takes to respond, the higher the cost and impact.
Notable ransomware incidents
Over the past decade, ransomware has caused some of the most disruptive and costly cyberattacks in history, with recent attacks underscoring the ongoing and evolving threat. These cases highlight how dangerous and widespread the threat has become:
- WannaCry (2017) infected more than 200,000 systems across 150 countries by exploiting an SMBv1 vulnerability (EternalBlue) for which Microsoft had released a patch two months earlier. It affected hospitals, telecom providers, and transportation systems.
- NotPetya (2017) initially targeted Ukraine but quickly spread worldwide. It behaved more like a wiper than true ransomware: there was no way to obtain a working key, so the data loss was irreversible.
- CryptoLocker (2013) was among the first ransomware campaigns to demand Bitcoin, spreading through malicious email attachments. It encrypted the victim's files under a key pair generated on the attacker's server, so recovery was impossible until the underlying botnet was taken down in 2014 and the seized keys were used to build a free decryption service.
- Bad Rabbit (2017) used fake Adobe Flash updates served from compromised news sites to infect media and government networks in Eastern Europe.
These notorious examples demonstrate why no organization can afford to ignore ransomware risks. Moreover, recent targeted attacks show how cybercriminals have shifted focus to critical sectors:
In June 2025, Yes24, South Korea's leading ticketing platform, was hit by ransomware, halting K-pop ticket sales and exposing weaknesses in entertainment and e-commerce infrastructure.
Earlier, in May 2025, the Mediclinic healthcare group suffered an attack by the Everest ransomware gang, resulting in major service disruptions across multiple countries.
How to protect against ransomware
Prevention is the most effective strategy. By taking a proactive approach, businesses can dramatically reduce their risk and prepare for rapid recovery in the event of an attack.
Key preventative measures include:
- Regular software updates and patching to eliminate known vulnerabilities, starting with internet-facing systems.
- Reliable antivirus and anti-malware tools that detect and block ransomware, such as solutions from Trend Micro.
- Secure, frequent data backups stored offline or in immutable or isolated cloud storage, with special attention to cloud workloads as part of a comprehensive backup strategy.
- Employee training programs to help staff recognize phishing attempts and avoid risky behavior.
- Advanced endpoint protection with behavioral monitoring and intrusion detection.
- Network segmentation to limit ransomware's ability to spread across systems.
- Zero Trust architecture, which enforces strict access control and authentication for every user and device.
Protecting your business from ransomware
Ransomware attacks continue to be one of the most pressing cyber threats facing businesses today. With attackers constantly developing new ransomware variants and tactics, organizations must take a proactive approach to prevent ransomware attacks and minimize the risk of a successful breach. Protecting your business from ransomware threats requires more than just basic antivirus software – it demands a comprehensive, multi-layered defense strategy.
To effectively guard against ransomware, consider these essential steps:
- Implement strong access controls: Limit user permissions, require multi-factor authentication for remote access and administrative accounts, and ensure that only authorized personnel can reach sensitive data or critical systems. This limits how far ransomware can spread if an account is compromised.
- Educate employees about cyber threats: Regularly train staff to recognize phishing emails, suspicious links, and malicious attachments, which are common entry points for ransomware. Awareness is a powerful tool in preventing infections.
- Enforce strict email and web filtering: Use security solutions that block malicious emails, websites, and downloads before they can deliver ransomware to your systems.
- Patch and update all software: Keep operating systems, applications, and security tools up to date to close the vulnerabilities ransomware operators exploit, beginning with anything reachable from the internet.
- Monitor network and endpoint activity: Deploy tools that detect unusual behavior, such as mass file renaming or encryption, security tooling being disabled, or large outbound data transfers, any of which may signal a ransomware operation in progress.
- Segment your network: Divide the network into separate zones so that a compromise in one zone cannot reach valuable files and systems in another.
- Develop and test an incident response plan: Prepare your team to respond quickly, so that everyone knows their role in containing the threat and restoring business operations; a plan that has never been exercised rarely survives first contact.
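The "unauthorized file encryption" signal in the monitoring item above, and the extension changes mentioned earlier as a sign of infection, can be turned into concrete detection logic. The Go program below is an added example for this article, not code from the original page or from any product. It folds a constructed stream of file events from a hypothetical endpoint telemetry feed into per-process indicators: renames that change a file's extension, writes whose sampled bytes have the high Shannon entropy of ciphertext, and ransom-note-like files dropped across several directories. The event layout, the process names (updater.exe, winword.exe), the note keywords, the paths, and the thresholds are all assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"path"
	"strings"
)

// FileEvent is one record from a hypothetical file-activity feed; the layout is an assumption.
type FileEvent struct {
	Process string
	Op      string // "write" or "rename"
	Path    string // for a rename, the old path
	NewPath string // for a rename, the new path
	Data    []byte // for a write, a sample of the bytes written
}

type Indicators struct {
	ExtChanges        int            // renames that gave a file a new extension
	HighEntropyWrites int            // writes whose sampled bytes look like ciphertext
	NoteDirs          map[string]int // directories that received a ransom-note-like file
}

// shannonEntropy returns the entropy of b in bits per byte (0 to 8).
func shannonEntropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := n / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// looksLikeNote matches typical ransom-note names; the keyword list is an assumption to tune.
func looksLikeNote(p string) bool {
	n := strings.ToUpper(path.Base(p))
	return strings.HasSuffix(n, ".TXT") && (strings.Contains(n, "DECRYPT") || strings.Contains(n, "RECOVER"))
}

// score folds the event stream into per-process indicators.
func score(events []FileEvent) map[string]*Indicators {
	out := map[string]*Indicators{}
	for _, e := range events {
		if out[e.Process] == nil {
			out[e.Process] = &Indicators{NoteDirs: map[string]int{}}
		}
		ind := out[e.Process]
		switch e.Op {
		case "rename":
			if path.Ext(e.NewPath) != path.Ext(e.Path) {
				ind.ExtChanges++
			}
		case "write":
			if looksLikeNote(e.Path) {
				ind.NoteDirs[path.Dir(e.Path)]++
			}
			if shannonEntropy(e.Data) > 7.0 { // bits per byte: random data is near 8, prose near 4-5
				ind.HighEntropyWrites++
			}
		}
	}
	return out
}

// Suspicious applies assumed thresholds (tune to your baseline): five renames to a new extension
// plus five ciphertext-like writes from one process, or a note dropped in three directories.
func (ind *Indicators) Suspicious() bool {
	return (ind.ExtChanges >= 5 && ind.HighEntropyWrites >= 5) || len(ind.NoteDirs) >= 3
}

// sampleEvents is constructed telemetry: a hypothetical updater.exe overwrites five documents with
// random bytes (standing in for ciphertext), renames them and drops a note in each directory,
// while winword.exe saves an ordinary text file.
func sampleEvents() []FileEvent {
	ciphertext := make([]byte, 4096)
	rand.Read(ciphertext)
	dirs := []string{"C:/Users/alice/Documents", "C:/Shares/finance", "C:/Shares/hr"}
	var evs []FileEvent
	for i, name := range []string{"budget.xlsx", "plan.docx", "q2.pdf", "payroll.xlsx", "contracts.docx"} {
		f := dirs[i%3] + "/" + name
		evs = append(evs,
			FileEvent{Process: "updater.exe", Op: "write", Path: f, Data: ciphertext},
			FileEvent{Process: "updater.exe", Op: "rename", Path: f, NewPath: f + ".locked"},
			FileEvent{Process: "updater.exe", Op: "write", Path: dirs[i%3] + "/HOW_TO_RECOVER.txt", Data: []byte("Your files have been encrypted.")})
	}
	return append(evs, FileEvent{Process: "winword.exe", Op: "write", Path: "C:/Users/bob/notes.txt", Data: []byte(strings.Repeat("meeting notes for monday\n", 40))})
}

func main() {
	for proc, ind := range score(sampleEvents()) {
		fmt.Printf("%s: %+v suspicious=%v\n", proc, *ind, ind.Suspicious())
	}
}
```

Entropy on its own is a noisy signal: healthy compressed formats (docx, zip, jpeg, already-encrypted archives) are high-entropy too, which is why the check only alerts when it coincides with a burst of extension changes from the same process, or when a note appears in several directories. In production the sampled bytes would come from the EDR agent or a filesystem filter driver, and the per-process counters would be windowed in time rather than accumulated indefinitely.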
By taking these proactive measures, businesses can significantly reduce their exposure to ransomware threats and strengthen their overall cybersecurity posture. Remember, the best way to prevent ransomware attacks is to stay vigilant, keep security practices up to date, and foster a culture of cyber awareness throughout your organization.
Incident response and recovery
Despite best efforts, no system is completely immune. A well-structured response plan can contain damage and speed up recovery.
Recommended steps after an attack:
- Immediately isolate affected systems from the network and identify every infected device to stop the spread. Avoid powering machines off if you can; memory contents are valuable evidence.
- Identify the entry point and any persistence the attacker established (new accounts, scheduled tasks, remote-access tools), reset credentials that may have been captured, and close the gaps before reconnecting anything.
- Report the attack to the relevant authorities and engage incident response professionals.
- Recover from clean backups once the affected systems have been rebuilt or verified clean. Rebooting into safe mode is sometimes suggested for removing commodity strains, but it does not recover encrypted files, discards volatile evidence, and some strains deliberately run in safe mode to evade security tools; a rebuild from a known-good image is the safer course.
- Conduct a thorough post-incident review to strengthen future defenses.
Being prepared makes all the difference between a minor disruption and a major crisis.
The future of ransomware
Ransomware threats are likely to become even more complex in the coming years. Cybercriminals are increasingly adopting advanced technologies and targeting new platforms.
Trends shaping the future of ransomware include:
- Use of artificial intelligence and machine learning, allowing ransomware to evade detection and adapt to security defenses in real time.
- Targeting of IoT devices, which often lack built-in security and can be exploited to cause large-scale damage.
- Increased focus on cloud infrastructure, as more organizations move their operations to cloud-based platforms.
- Greater emphasis on prevention, with businesses shifting from reactive to proactive cybersecurity strategies.
- Stronger collaboration across sectors, with government agencies, security firms, and private companies sharing threat intelligence and best practices.
The evolving nature of ransomware requires constant vigilance, investment in cybersecurity, and a culture of awareness.
Final thoughts
Ransomware is a fast-growing and ever-changing threat that can impact organizations of all sizes. By understanding how it works, learning from past attacks, and implementing layered security measures, businesses can better defend themselves. Prioritizing cybersecurity isn't just a technical necessity – it’s a business imperative.
This post has been updated on 16-06-2025 by Sarah Krarup.
Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.